About Destination Canada
The Canadian Tourism Commission, operating as ‘Destination Canada’ (DC), is a Crown Corporation wholly owned by the Government of Canada. Established in 2001 under the Canadian Tourism Commission Act, DC markets Canada internationally. Its aim is to provide a consistent voice for Canada in the international tourism marketplace, and to sustain a vibrant and profitable tourism industry by supporting cooperative relationships between the public and private sectors.
Tourism partnerships, promotion and marketing
In keeping with its mandate to promote and encourage Canadian tourism, DC engages in marketing activities with public and private sector organizations. This work includes partnered global marketing and sales programs geared at developing a strong Canadian brand presence internationally. Our partners range from small-to-medium-size enterprises to large tourism-focused businesses. DC also interacts regularly with partners in the tourism industry, such as provincial and destination marketing organizations and trade associations.
Tourism and travel research
DC offers a variety of tools and resources to small and medium-sized tourism enterprises. This includes research and market intelligence reports geared at supporting and encouraging Canadian travel. Both tourism partners and individuals can subscribe to our news reports for regular updates about Canadian tourism research and statistics, marketing programs, travel issues, industry trends and more.
In addition to our tourism marketing and research efforts, DC works collaboratively with a range of industry associations and private-sector partners to encourage the hosting of business events in Canada. Business events help increase exports of Canadian goods and services, encourage attendance at Canadian educational facilities, boost direct foreign investment in Canada, and leverage Canada’s overall brand in encouraging commercial activity.
In order to fulfill its legal mandate, DC may collect, use, and disclose “personal data”. This includes data from consumers (such as visitors to our website or newsletter subscribers), and data from our tourism partners (such as destination marketing agencies, travel agents and tour operators).
At DC, we are committed to safeguarding the privacy of all individuals who entrust us with their personal data. This policy is meant to help individuals understand what information we collect, why we collect it, and how it is managed. The policy applies where we are acting as a “data controller”, that is, where we determine both the purpose and means of processing of personal data. DC does not process data on behalf of others.
What we collect
DC limits its collection of personal data to that which is authorized under an operating program or activity of the corporation. This includes information provided directly from consumers and/or tourism partners, or that provided through the use of our website or services, as set out in the following section. For a full index and description of our personal data holdings, see our “Personal Information Index”.
Why we collect it
In addition to the collection of usage data, we may collect and process information that you provide to us for the purpose of subscribing to our email notifications, research and/or newsletters ("notification data"). This includes DC news, story ideas, tourism snapshots, special offers, incentives and contests, and specialist programming. Notification data may include your email address, name, and organization type, as provided by you. Notification data may be processed for the purposes of sending you publications that you’ve elected to receive, in keeping with our mandate.
Where you elect to contact us, we may collect and process information contained in or relating to any communication that you send to us ("correspondence data"). Correspondence data may include your contact information, the contents of your communication, and any metadata associated with the communication. Correspondence data may be processed for the purposes of communicating with you and/or your organization, and for general record-keeping, in keeping with our mandate.
In the course of fulfilling our mandate, we may collect and process information about our customers and tourism partners (e.g., travel agencies, tour operators, venues, event planners, provincial and territorial destination tourism marketing agencies, and conference or training organizers). Customer and partner information ("customer relationship data") may include an individual’s name, his or her employer, job title or role, contact details, and information contained in communications between DC and the program partner, including event information. Customer relationship data is sourced directly from the individual or his or her employer. It may be processed for the purposes of managing our relationships with tourism partners, communicating with partners, keeping records of those communications, and for promoting products, services, and events in keeping with our mandate. In some cases, we may obtain consent prior to collecting customer relationship data.
If you apply for employment at DC, in order to process your job application we may collect and process data about your career interests and employment history (“job applicant data”). Job applicant data is used for staffing and recruitment activities, and to maintain an inventory of candidates for current and future work opportunities. Personal information will only be used for legitimate business interests, and only then with your express consent.
How it is managed
In keeping with our commitment to privacy, we have put in place appropriate technical and organizational measures to help ensure that personal data we collect is protected and properly handled. This includes a Privacy Management Framework that sets out key responsibilities for privacy and the protection of personal information. The Privacy Management Framework also establishes a common set of standards and practices for the handling of personal information across the corporation. In addition to supporting individual accountability for privacy, the Framework helps to promote a coherent and effective organizational approach for privacy protection.
Each year we update and publish a full inventory of our personal data holdings. Our publicly available Personal Information Index describes what personal data we collect, the purposes for which that data is collected, how the data may be used, who we share that data with, how long it is retained, and how individuals to whom the information belongs may access the data.
Personal data held by DC is safeguarded in accordance with government standards for the protection of personal information. Generally speaking, personal data is secured in a manner commensurate with its sensitivity. In order to help safeguard personal data, DC has a formal information security program in place. The program includes physical, technical, and organizational measures designed to protect against anticipated threats to personal data. Those measures also help prevent the unauthorized disclosure, access, or use of personal data.
In addition to the above security practices, DC regularly conducts privacy impact assessments (PIAs) in relation to new or substantially modified programs and services involving the use of personal data. PIAs help identify, measure and mitigate the privacy risks associated with the introduction of new programs or services, ensuring that privacy is a core consideration in the design, development and operation of all programs and services involving the use of personal data. In keeping with our commitment to transparency and openness, we post summaries of our PIAs on our external website.
Limited sharing and retention
DC does not share your personal data with other companies, organizations or individuals, except with your consent (or where authorized by law). Personal data is never sold, and is never used except in keeping with the purposes for which it was first collected. In some cases, we may provide your personal data to trusted program partners or service vendors for processing. In such instances, we ensure that the organizations we share your data with comply with strict instructions for the proper handling of that data.
We only retain personal data for so long as it is required to fulfill the purpose for which it was first collected. Personal data that is used to make a decision that may impact an individual is retained for a minimum of two years, as required under Canada’s Privacy Act. When personal data is no longer required, it is securely destroyed or de-identified.
Universal data rights
Individuals have the right to request a confirmation as to whether or not DC processes their personal data. Where we do, the individual has the right to access that personal data. Providing the rights and freedoms of others are not affected, and except as provided under the Privacy Act, we will supply individuals with a copy of their personal data at no cost.
Individuals can request a copy of their personal data by contacting our Privacy Office at email@example.com, or by telephone at +1.604.638.8300.
We make reasonable effort to ensure that your personal data is as accurate, complete and up-to-date for the purposes for which it is to be used. You have the right to have your personal data corrected where inaccurate or incomplete. Corrections are best processed by contacting the official or department at DC to which your information was first provided. If you have provided your personal data to DC using an on-line form, you may be able to update that information by amending your on-line profile, or by following the link on DC-provided publications.
Individuals can also request corrections to their personal data by contacting our Privacy Office at firstname.lastname@example.org, or by telephone at +1.604.638.8300
Concerns relating to DC’s collection, use or disclosure of personal data may be communicated to DC’s Privacy Office at email@example.com. Failing the resolution of a privacy concern or issue, individuals may exercise their right to pursue outstanding matters by way of a complaint to the Office of the Privacy Commissioner of Canada.
Rights specific to residents of the European Union
DC is subject to Canada’s Privacy Act. We strive however to comply with the privacy laws and regulations of all jurisdictions in which we have an establishment and market to, including the European Union (EU). Subject to the Privacy Act and the laws of Canada, EU residents may have the following additional rights, as provided by the General Data Protection Regulation (GDPR).
In some circumstances, EU residents may have the right to the erasure of their personal data. The right to erasure may be exercised where: personal data is no longer necessary in relation to the purposes for it was first collected or otherwise processed; consent is withdrawn (where data processing was based on consent); there is no further legitimate interest in processing the data; data is being used for direct marketing purposes on the objection of the individual; or where the personal data has been unlawfully processed. This right is not absolute. DC may continue to process personal data of EU residents where the processing is necessary for compliance with a legal obligation, or for the establishment, exercise or defence of a legal claim.
In some circumstances, residents of the EU may have the right to restrict the processing of their personal data. Such circumstances include: where the accuracy of the individual’s personal data is contested; where processing is unlawful but erasure is opposed; or where personal data is no longer needed for the purposes of processing, but where the individual requires personal data for the establishment, exercise or defence of a legal claim. Where processing has been restricted, DC may continue to store that personal data. In such cases, we will only process your personal data with your consent or: for the establishment, exercise or defence of legal claims; for the protection of the rights of another natural or legal person; or for purposes of an important public interest.
In some circumstances, residents of the EU may have the right to receive personal data they have provided to DC (as data controller) in a portable manner (i.e., in a format that is structured, commonly used, and machine readable). EU residents may also have the right to request that DC transmit that data to another data controller. The right to data portability only applies when personal data is provided on the basis of consent, or for the purposes of a contract, and where DC processes that data by automated means. Except with respect to job applicant data supplied through our on-line application platform, DC does not process data automatically.
“Personal data” means information about an identifiable individual that is recorded in any form, as provided in section 3 of Canada’s Privacy Act.
“Data controller” means a legal person which, alone or jointly, determines the purposes and means of processing personal data.
“Personal Information Index” refers to the index and description of personal data collected and processed by Destination Canada, as set out in section 11(1) of Canada’s Privacy Act.